2. Traffic Monitoring and DDoS Mitigation with Wanguard
Andrisoft Wanguard is an award-winning enterprise-grade software solution designed to monitor and protect large WAN networks against volumetric DDoS attacks.
Unforeseen traffic patterns affect user satisfaction and clog costly transit links. Providing reliable network services is imperative for the success of today’s organizations. As the business cost of network malfunctions continues to increase, rapid identification and mitigation of threats to network performance and reliability become critical in order to meet expected SLAs and network availability requirements. Such threats include distributed denial-of-service attacks (spoofed SYN flood, NTP amplification attacks, generic UDP floods, etc.), propagating worms, misuse of services, and interference of best-effort traffic with critical or real-time traffic. Wanguard’s network-wide surveillance of complex, multilayer, switched or routed environments together with its unique combination of features is specifically designed to meet the challenge of pinpointing and resolving any such threats.
2.1. Key Features & Benefits
✔ FULL NETWORK VISIBILITY – Supports all major IP traffic monitoring technologies: packet sniffing, NetFlow version 5, 7 and 9; sFlow version 4 and 5; IPFIX and SNMP
✔ COMPREHENSIVE DDOS DETECTION – Leverages an innovative traffic anomaly detection engine that quickly detects volumetric attacks by profiling the online behavior of users and by comparing over 130 live traffic parameters against user-defined thresholds
✔ ON-PREMISE DDOS MITIGATION – Protects networks by using BGP blackhole routing or Flowspec; protects services by cleaning malicious traffic using packet-scrubbing servers deployed in-line or out-of-line
✔ FAST, SCALABLE & ROBUST – Designed to run on commodity server hardware by leveraging high-speed packet capturing technologies such as DPDK, PF_RING Vanilla, PF_RING ZC and Netmap. Can run as a cluster with its software components distributed across multiple servers
✔ POWERFUL REACTION TOOLS – Executes predefined actions which automate the reaction to attacks: sends notification emails, announces prefixes in BGP, generates SNMP traps, modifies ACLs, and runs scripts that have access to hundreds of internal parameters via an easy-to-use API
✔ DETAILED FORENSICS – Captures samples of packets and saves flows for the forensic investigation of each attack. Detailed attack reports can be emailed to you, to the affected customer, or to the attacker’s ISP
✔ ENTERPRISE-GRADE WEB CONSOLE – Provides consolidated management and reporting through a highly-configurable multi-tenant web portal with customizable dashboards, user roles, and remote authentication
✔ PACKET SNIFFER – Saves packet dumps using a distributed packet sniffer that can be deployed on different network entry points. Displays packet details in a Wireshark-like web interface
✔ FLOW COLLECTOR – Contains a fully-featured NetFlow, sFlow, and IPFIX collector that saves flow data in a compressed format for long-term storage. Flows can easily be searched, filtered, sorted, and exported
✔ COMPLEX ANALYTICS – Generates complex reports with aggregated data for hosts, departments, interfaces, applications, ports, protocols, countries, autonomous systems, and more
✔ REAL-TIME REPORTING – Bandwidth graphs are animated and have a short-term accuracy of just 5 seconds
✔ HISTORICAL REPORTING – You can view reports from the last 5 seconds to the last 10 years by selecting any custom time period. Bandwidth histograms contain 95th-percentile values for burstable billing
✔ SCHEDULED REPORTING – Generates PDF and HTML reports and sends them automatically by email to the interested parties at preconfigured intervals of time
✔ COMPLETE REST API – All configurations and collected data can be easily queried and referenced via a fully-featured RESTful API which exposes hundreds of internal parameters, anomaly data, graphs and tops
✔ THE LOWEST TCO – It is the most affordable on-premise DDoS detection and mitigation software solution on the market
All configurations are stored in an SQL database that is easy to query, backup and restore.
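The detection model described above (per-destination traffic parameters compared against user-defined thresholds, followed by an automated reaction such as a BGP blackhole announcement) is illustrated below with a small, added Python example. It is not Wanguard code: the flow records, the threshold values and the route-announcement format are constructed for the example, and the only real identifier is the well-known BLACKHOLE community 65535:666 from RFC 7999.

```python
from collections import defaultdict

# Constructed sample flows in a NetFlow-v5-like shape (not Wanguard output):
# (dst_ip, proto, src_port, dst_port, tcp_flags, packets, bytes) for one 5-second window.
SAMPLE_FLOWS = [
    ("198.51.100.10", "tcp", 40001, 443, "S", 120_000, 7_200_000),   # spoofed SYN flood
    ("198.51.100.10", "tcp", 40002, 443, "S", 150_000, 9_000_000),
    ("198.51.100.20", "udp", 123, 33000, "", 30_000, 14_400_000),    # NTP amplification replies
    ("198.51.100.20", "udp", 123, 33001, "", 25_000, 12_000_000),
    ("198.51.100.30", "tcp", 50000, 80, "PA", 2_000, 1_500_000),     # ordinary web traffic
]

WINDOW_SECONDS = 5
# Per-destination thresholds; hypothetical values chosen for the sample, not product defaults.
THRESHOLDS = {"pps": 20_000, "mbps": 20, "syn_pps": 5_000, "ntp_reply_pps": 2_000}

def aggregate(flows, window=WINDOW_SECONDS):
    """Turn raw flows into per-destination rates: total pps/Mbps, SYN-only pps, UDP/123 reply pps."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0, "syn": 0, "ntp": 0})
    for dst, proto, sport, dport, flags, pkts, byts in flows:
        t = totals[dst]
        t["packets"] += pkts
        t["bytes"] += byts
        if proto == "tcp" and flags == "S":      # SYN without ACK: half-open connection attempts
            t["syn"] += pkts
        if proto == "udp" and sport == 123:      # replies from NTP servers the victim never queried
            t["ntp"] += pkts
    return {dst: {"pps": t["packets"] / window,
                  "mbps": t["bytes"] * 8 / window / 1e6,
                  "syn_pps": t["syn"] / window,
                  "ntp_reply_pps": t["ntp"] / window} for dst, t in totals.items()}

def detect(flows, thresholds=THRESHOLDS):
    """Return {dst: [parameter names over threshold]} for destinations under a volumetric attack."""
    anomalies = {}
    for dst, rates in aggregate(flows).items():
        hits = [name for name, limit in thresholds.items() if rates[name] > limit]
        if hits:
            anomalies[dst] = hits
    return anomalies

def blackhole_route(dst):
    """Reaction step: a textual /32 announcement tagged with the BLACKHOLE community (RFC 7999).
    The next-hop is a placeholder from the documentation range; the syntax is illustrative."""
    return f"route {dst}/32 next-hop 192.0.2.1 community 65535:666"

if __name__ == "__main__":
    for dst, hits in detect(SAMPLE_FLOWS).items():
        print(f"{dst}: {', '.join(hits)} -> {blackhole_route(dst)}")
```

The two attacked destinations are flagged on different parameters (SYN rate versus NTP reply rate), while the ordinary web traffic stays under every threshold.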
2.2. Software Components
Wanguard Sensor provides traffic anomaly detection, bandwidth monitoring and traffic accounting. The collected information allows you to generate complex traffic reports, graphs, and tops; instantly pin down the cause of network incidents; automate the reaction to attacks; understand patterns in application performance and make the right capacity planning decisions.
Wanguard Filter is an optional component used for generating filtering rules that isolate the malicious traffic received by the attacked destinations. It can scrub off abnormal traffic in a granular manner without impacting the user experience or resulting in downtime.
Wanguard Console is a multi-tenant web graphical user interface that functions as the administrative core of the software. It offers single-point management and reporting by consolidating the data from all Wanguard Sensors, Wansight Sensors and Wanguard Filters deployed within the network.